[Security] always check the token on non-lazy firewalls
This commit is contained in:
parent
2a91f28ed4
commit
797450d6b8
@ -18,6 +18,7 @@ use Symfony\Component\Security\Core\Authorization\AccessDecisionManagerInterface
|
|||||||
use Symfony\Component\Security\Core\Exception\AccessDeniedException;
|
use Symfony\Component\Security\Core\Exception\AccessDeniedException;
|
||||||
use Symfony\Component\Security\Core\Exception\AuthenticationCredentialsNotFoundException;
|
use Symfony\Component\Security\Core\Exception\AuthenticationCredentialsNotFoundException;
|
||||||
use Symfony\Component\Security\Http\AccessMapInterface;
|
use Symfony\Component\Security\Http\AccessMapInterface;
|
||||||
|
use Symfony\Component\Security\Http\Event\LazyResponseEvent;
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* AccessListener enforces access control rules.
|
* AccessListener enforces access control rules.
|
||||||
@ -51,6 +52,10 @@ class AccessListener implements ListenerInterface
|
|||||||
*/
|
*/
|
||||||
public function __invoke(RequestEvent $event)
|
public function __invoke(RequestEvent $event)
|
||||||
{
|
{
|
||||||
|
if (!$event instanceof LazyResponseEvent && null === $token = $this->tokenStorage->getToken()) {
|
||||||
|
throw new AuthenticationCredentialsNotFoundException('A Token was not found in the TokenStorage.');
|
||||||
|
}
|
||||||
|
|
||||||
$request = $event->getRequest();
|
$request = $event->getRequest();
|
||||||
|
|
||||||
list($attributes) = $this->map->getPatterns($request);
|
list($attributes) = $this->map->getPatterns($request);
|
||||||
@ -59,7 +64,7 @@ class AccessListener implements ListenerInterface
|
|||||||
return;
|
return;
|
||||||
}
|
}
|
||||||
|
|
||||||
if (null === $token = $this->tokenStorage->getToken()) {
|
if ($event instanceof LazyResponseEvent && null === $token = $this->tokenStorage->getToken()) {
|
||||||
throw new AuthenticationCredentialsNotFoundException('A Token was not found in the TokenStorage.');
|
throw new AuthenticationCredentialsNotFoundException('A Token was not found in the TokenStorage.');
|
||||||
}
|
}
|
||||||
|
|
||||||
|
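Review bot: The first guard in `__invoke` now throws before the access map is consulted, so on a non-lazy firewall a request to a path with no access rule fails when the token storage is empty, while the lazy guard further down still waits for matching attributes; nothing in the hunk records why the two branches are ordered differently, and the `@throws` docblock that ends at `*/` just above should say that a missing token is fatal on non-lazy firewalls regardless of the matched pattern. A why-comment on the first guard would cover it: `// Non-lazy firewalls must already hold a token; lazy ones defer the lookup until an access rule matches (second guard below).` The two guards also depend on being exact complements: each one assigns `$token` only when its `instanceof` test passes, so `$token` is defined after the second guard solely because one of the two always runs — a comment naming that coupling, or a `$token = null;` initialisation before the first guard, would keep a later edit to either condition from leaving `$token` undefined. The `__invoke` body continues past the end of the hunk.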
@ -18,6 +18,7 @@ use Symfony\Component\Security\Core\Authentication\AuthenticationManagerInterfac
|
|||||||
use Symfony\Component\Security\Core\Authentication\Token\Storage\TokenStorageInterface;
|
use Symfony\Component\Security\Core\Authentication\Token\Storage\TokenStorageInterface;
|
||||||
use Symfony\Component\Security\Core\Authorization\AccessDecisionManagerInterface;
|
use Symfony\Component\Security\Core\Authorization\AccessDecisionManagerInterface;
|
||||||
use Symfony\Component\Security\Http\AccessMapInterface;
|
use Symfony\Component\Security\Http\AccessMapInterface;
|
||||||
|
use Symfony\Component\Security\Http\Event\LazyResponseEvent;
|
||||||
use Symfony\Component\Security\Http\Firewall\AccessListener;
|
use Symfony\Component\Security\Http\Firewall\AccessListener;
|
||||||
|
|
||||||
class AccessListenerTest extends TestCase
|
class AccessListenerTest extends TestCase
|
||||||
@ -219,7 +220,7 @@ class AccessListenerTest extends TestCase
|
|||||||
->willReturn($request)
|
->willReturn($request)
|
||||||
;
|
;
|
||||||
|
|
||||||
$listener($event);
|
$listener(new LazyResponseEvent($event));
|
||||||
}
|
}
|
||||||
|
|
||||||
public function testHandleWhenTheSecurityTokenStorageHasNoToken()
|
public function testHandleWhenTheSecurityTokenStorageHasNoToken()
|
||||||
|
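Review bot: Only the lazy path is covered: wrapping `$event` in `LazyResponseEvent` at the `$listener(...)` call keeps the "no attributes, token storage never queried" expectation valid for lazy firewalls, but no test in this hunk pins the behaviour the commit title describes, that a plain `RequestEvent` with no matching attributes and no token now throws `AuthenticationCredentialsNotFoundException`. Unless that case is added outside the hunk, a sibling test with an unwrapped `RequestEvent`, a `getToken()` stub returning `null` and `$this->expectException(AuthenticationCredentialsNotFoundException::class)` before the call would guard the regression; `testHandleWhenTheSecurityTokenStorageHasNoToken` may already do this, but its body is outside the hunk. The enclosing test method starts before the hunk.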